diff --git a/class/defaults.yml b/class/defaults.yml
index 6463f4ed..a43368c3 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -3,7 +3,7 @@ parameters:
 namespace: syn-cert-manager
 dns01-recursive-nameservers: "1.1.1.1:53"
 charts:
- cert-manager: v1.8.2
+ cert-manager: v1.12.4
 http_proxy: ""
 https_proxy: ""
 no_proxy: ""
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-deployment.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-deployment.yaml
index c4fd2836..5fed70b1 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-deployment.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-deployment.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cainjector
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-cainjector
 namespace: syn-cert-manager
 spec:
@@ -26,8 +26,8 @@ spec:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cainjector
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 spec:
 containers:
 - args:
@@ -38,17 +38,22 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- image: quay.io/jetstack/cert-manager-cainjector:v1.8.2
+ image: quay.io/jetstack/cert-manager-cainjector:v1.12.4
 imagePullPolicy: IfNotPresent
- name: cert-manager
+ name: cert-manager-cainjector
 resources:
 requests:
 cpu: 50m
 memory: 512Mi
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 nodeSelector:
 kubernetes.io/os: linux
 securityContext:
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: cert-manager-cainjector
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-rbac.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-rbac.yaml
index 37c89d33..31f1cb2a 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-rbac.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-rbac.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cainjector
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-cainjector
 rules:
 - apiGroups:
@@ -46,6 +46,7 @@ rules:
 - list
 - watch
 - update
+ - patch
 - apiGroups:
 - apiregistration.k8s.io
 resources:
@@ -55,6 +56,7 @@ rules:
 - list
 - watch
 - update
+ - patch
 - apiGroups:
 - apiextensions.k8s.io
 resources:
@@ -64,6 +66,7 @@ rules:
 - list
 - watch
 - update
+ - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -74,8 +77,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cainjector
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-cainjector
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -95,8 +98,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cainjector
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-cainjector:leaderelection
 namespace: syn-cert-manager
 rules:
@@ -127,8 +130,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cainjector
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-cainjector:leaderelection
 namespace: syn-cert-manager
 roleRef:
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-serviceaccount.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-serviceaccount.yaml
index 1d8d4ad4..7f86ac83 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-serviceaccount.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/cainjector-serviceaccount.yaml
@@ -8,7 +8,7 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cainjector
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-cainjector
 namespace: syn-cert-manager
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/crds.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/crds.yaml
index 06963a7a..51a0a71e 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/crds.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/crds.yaml
@@ -6,8 +6,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: certificaterequests.cert-manager.io
 spec:
 group: cert-manager.io
@@ -139,15 +139,16 @@ spec: inside the CSR spec Defaults to `digital signature` and `key encipherment` if not specified. items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", - "email protection", "s/mime", "ipsec end system", "ipsec tunnel", - "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", - "netscape sgc"' + description: "KeyUsage specifies valid usage contexts for keys.\ + \ See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12\ + \ \n Valid KeyUsage values are as follows: \"signing\", \"digital\ + \ signature\", \"content commitment\", \"key encipherment\"\ + , \"key agreement\", \"data encipherment\", \"cert sign\", \"\ + crl sign\", \"encipher only\", \"decipher only\", \"any\", \"\ + server auth\", \"client auth\", \"code signing\", \"email protection\"\ + , \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec\ + \ user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\"\ + , \"netscape sgc\"" enum: - signing - digital signature @@ -263,8 +264,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.4 + helm.sh/chart: cert-manager-v1.12.4 name: certificates.cert-manager.io spec: group: cert-manager.io 
@@ -424,10 +425,11 @@ spec: Certificate. If true, a file named `keystore.jks` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The keystore - file will only be updated upon re-issuance. A file named - `truststore.jks` will also be created in the target Secret - resource, encrypted using the password stored in `passwordSecretRef` - containing the issuing Certificate Authority + file will be updated immediately. If the issuer provided + a CA certificate, a file named `truststore.jks` will also + be created in the target Secret resource, encrypted using + the password stored in `passwordSecretRef` containing + the issuing Certificate Authority type: boolean passwordSecretRef: description: PasswordSecretRef is a reference to a key in @@ -459,11 +461,11 @@ spec: the Certificate. If true, a file named `keystore.p12` will be created in the target Secret resource, encrypted using the password stored in `passwordSecretRef`. The - keystore file will only be updated upon re-issuance. A - file named `truststore.p12` will also be created in the - target Secret resource, encrypted using the password stored - in `passwordSecretRef` containing the issuing Certificate - Authority + keystore file will be updated immediately. If the issuer + provided a CA certificate, a file named `truststore.p12` + will also be created in the target Secret resource, encrypted + using the password stored in `passwordSecretRef` containing + the issuing Certificate Authority type: boolean passwordSecretRef: description: PasswordSecretRef is a reference to a key in 
@@ -487,6 +489,17 @@ spec: - passwordSecretRef type: object type: object + literalSubject: + description: LiteralSubject is an LDAP formatted string that represents + the [X.509 Subject field](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6). + Use this *instead* of the Subject field if you need to ensure + the correct ordering of the RDN sequence, such as when issuing + certs for LDAP authentication. See https://github.com/cert-manager/cert-manager/issues/3203, + https://github.com/cert-manager/cert-manager/issues/4424. This + field is alpha level and is only supported by cert-manager installations + where LiteralCertificateSubject feature gate is enabled on both + cert-manager controller and webhook. + type: string privateKey: description: Options to control private keys used for the Certificate. properties: 
@@ -634,15 +647,16 @@ spec: for the certificate. Defaults to `digital signature` and `key encipherment` if not specified. items: - description: 'KeyUsage specifies valid usage contexts for keys. - See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12 - Valid KeyUsage values are as follows: "signing", "digital signature", - "content commitment", "key encipherment", "key agreement", "data - encipherment", "cert sign", "crl sign", "encipher only", "decipher - only", "any", "server auth", "client auth", "code signing", - "email protection", "s/mime", "ipsec end system", "ipsec tunnel", - "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", - "netscape sgc"' + description: "KeyUsage specifies valid usage contexts for keys.\ + \ See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12\ + \ \n Valid KeyUsage values are as follows: \"signing\", \"digital\ + \ signature\", \"content commitment\", \"key encipherment\"\ + , \"key agreement\", \"data encipherment\", \"cert sign\", \"\ + crl sign\", \"encipher only\", \"decipher only\", \"any\", \"\ + server auth\", \"client auth\", \"code signing\", \"email protection\"\ + , \"s/mime\", \"ipsec end system\", \"ipsec tunnel\", \"ipsec\ + \ user\", \"timestamping\", \"ocsp signing\", \"microsoft sgc\"\ + , \"netscape sgc\"" enum: - signing - digital signature 
@@ -732,10 +746,12 @@ spec: using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). type: integer lastFailureTime: - description: LastFailureTime is the time as recorded by the Certificate - controller of the most recent failure to complete a CertificateRequest - for this Certificate resource. If set, cert-manager will not re-request - another Certificate until 1 hour has elapsed from this time. + description: LastFailureTime is set only if the lastest issuance + for this Certificate failed and contains the time of the failure. + If an issuance has failed, the delay till the next issuance will + be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts + - 1). If the latest issuance has succeeded this field will be + unset. format: date-time type: string nextPrivateKeySecretName: @@ -789,8 +805,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.4 + helm.sh/chart: cert-manager-v1.12.4 name: challenges.acme.cert-manager.io spec: group: acme.cert-manager.io 
@@ -1209,9 +1225,32 @@ spec: properties: accessKeyID: description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + Cannot be set when SecretAccessKeyID is set. If neither + the Access Key nor Key ID are set, we fall-back to + using env vars, shared credentials file or AWS Instance + metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for authentication. + If set, pull the AWS access key ID from a key within + a Kubernetes Secret. Cannot be set when AccessKeyID + is set. If neither the Access Key nor Key ID are set, + we fall-back to using env vars, shared credentials + file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others it may + be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object hostedZoneID: description: If set, the provider will manage only this zone in Route53 and will not do an lookup using the 
@@ -1229,9 +1268,10 @@ spec: or AWS Instance metadata type: string secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: 'The SecretAccessKey is used for authentication. + If neither the Access Key nor Key ID are set, we fall-back + to using env vars, shared credentials file or AWS + Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' properties: key: description: The key of the entry in the Secret 
@@ -1305,25 +1345,25 @@ spec: creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: - https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' items: - description: "ParentRef identifies an API object (usually\ - \ a Gateway) that can be considered a parent of\ - \ this resource (usually a route). The only kind\ + description: "ParentReference identifies an API object\ + \ (usually a Gateway) that can be considered a parent\ + \ of this resource (usually a route). The only kind\ \ of parent resource with \"Core\" support is Gateway.\ \ This API may be extended in the future to support\ \ additional kinds of parent resources, such as\ \ HTTPRoute. \n The API object must be valid in\ \ the cluster; the Group and Kind must be registered\ - \ in the cluster for this reference to be valid.\ - \ \n References to objects with invalid Group and\ - \ Kind are not valid, and must be rejected by the\ - \ implementation, with appropriate Conditions set\ - \ on the containing object." + \ in the cluster for this reference to be valid." properties: group: default: gateway.networking.k8s.io description: "Group is the group of the referent.\ + \ When unspecified, \"gateway.networking.k8s.io\"\ + \ is inferred. To set the core API group (such\ + \ as for a \"Service\" kind referent), Group\ + \ must be explicitly set to \"\" (empty string).\ \ \n Support: Core" maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 
@@ -1331,8 +1371,8 @@ spec: kind: default: Gateway description: "Kind is kind of the referent. \n\ - \ Support: Core (Gateway) Support: Custom (Other\ - \ Resources)" + \ Support: Core (Gateway) \n Support: Implementation-specific\ + \ (Other Resources)" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 
@@ -1345,19 +1385,64 @@ spec: type: string namespace: description: "Namespace is the namespace of the\ - \ referent. When unspecified (or empty string),\ - \ this refers to the local namespace of the\ - \ Route. \n Support: Core" + \ referent. When unspecified, this refers to\ + \ the local namespace of the Route. \n Note\ + \ that there are specific rules for ParentRefs\ + \ which cross namespace boundaries. Cross-namespace\ + \ references are only valid if they are explicitly\ + \ allowed by something in the namespace they\ + \ are referring to. For example: Gateway has\ + \ the AllowedRoutes field, and ReferenceGrant\ + \ provides a generic way to enable any other\ + \ kind of cross-namespace reference. \n Support:\ + \ Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + port: + description: "Port is the network port this Route\ + \ targets. It can be interpreted differently\ + \ based on the type of parent resource. \n When\ + \ the parent resource is a Gateway, this targets\ + \ all listeners listening on the specified port\ + \ that also support this kind of Route(and select\ + \ this Route). It's not recommended to set `Port`\ + \ unless the networking behaviors specified\ + \ in a Route must apply to a specific port as\ + \ opposed to a listener(s) whose port(s) may\ + \ be changed. When both Port and SectionName\ + \ are specified, the name and port of the selected\ + \ listener must match both specified values.\ + \ \n Implementations MAY choose to support other\ + \ parent resources. Implementations supporting\ + \ other types of parent resources MUST clearly\ + \ document how/if Port is interpreted. \n For\ + \ the purpose of status, an attachment is considered\ + \ successful as long as the parent resource\ + \ accepts it partially. 
For example, Gateway\ + \ listeners can restrict which Routes can attach\ + \ to them by Route kind, namespace, or hostname.\ + \ If 1 of 2 Gateway listeners accept attachment\ + \ from the referencing Route, the Route MUST\ + \ be considered successfully attached. If no\ + \ Gateway listeners accept attachment from this\ + \ Route, the Route MUST be considered detached\ + \ from the Gateway. \n Support: Extended \n\ + \ " + format: int32 + maximum: 65535 + minimum: 1 + type: integer sectionName: description: "SectionName is the name of a section\ \ within the target resource. In the following\ \ resources, SectionName is interpreted as the\ - \ following: \n * Gateway: Listener Name \n\ - \ Implementations MAY choose to support attaching\ + \ following: \n * Gateway: Listener Name. When\ + \ both Port (experimental) and SectionName are\ + \ specified, the name and port of the selected\ + \ listener must match both specified values.\ + \ \n Implementations MAY choose to support attaching\ \ Routes to other resources. If that is the\ \ case, they MUST clearly document how SectionName\ \ is interpreted. \n When unspecified (empty\ 
@@ -1395,9 +1480,17 @@ spec: for each Challenge to be completed. properties: class: - description: The ingress class to use when creating - Ingress resources to solve ACME challenges that use - this challenge solver. Only one of 'class' or 'name' + description: This field configures the annotation `kubernetes.io/ingress.class` + when creating Ingress resources to solve ACME challenges + that use this challenge solver. Only one of `class`, + `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` + on the created Ingress resources used to solve ACME + challenges that use this challenge solver. This is + the recommended way of configuring the ingress class. + Only one of `class`, `name` or `ingressClassName` may be specified. type: string ingressTemplate: @@ -1432,7 +1525,8 @@ spec: in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between - external IPs and ingress resources. + external IPs and ingress resources. Only one of `class`, + `name` or `ingressClassName` may be specified. type: string podTemplate: description: Optional pod template used to configure @@ -1460,10 +1554,9 @@ spec: type: object spec: description: PodSpec defines overrides for the HTTP01 - challenge solver pod. Only the 'priorityClassName', - 'nodeSelector', 'affinity', 'serviceAccountName' - and 'tolerations' fields are supported currently. - All other fields will be ignored. + challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec + to find out currently supported fields. All other + fields will be ignored. properties: affinity: description: If specified, the pod's scheduling @@ -1608,6 +1701,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding 
@@ -1749,10 +1843,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling @@ -1863,6 +1959,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces @@ -1875,10 +1972,7 @@ spec: null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This field - is beta-level and is only - honored when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -1950,6 +2044,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace @@ -1960,7 +2055,7 @@ spec: the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -2091,6 +2186,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -2102,10 +2198,7 @@ spec: and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This field is - beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -2172,6 +2265,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names 
@@ -2182,7 +2276,7 @@ spec: by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array @@ -2315,6 +2409,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces @@ -2327,10 +2422,7 @@ spec: null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This field - is beta-level and is only - honored when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -2402,6 +2494,7 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace @@ -2412,7 +2505,7 @@ spec: the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -2543,6 +2636,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces that the @@ -2554,10 +2648,7 @@ spec: and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This field is - beta-level and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -2624,6 +2715,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list of namespace names @@ -2634,7 +2726,7 @@ spec: by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this - pod's namespace" + pod's namespace". items: type: string type: array 
@@ -2658,6 +2750,22 @@ spec: type: array type: object type: object + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + items: + description: LocalObjectReference contains + enough information to let you locate the + referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array nodeSelector: additionalProperties: type: string @@ -2855,8 +2963,8 @@ metadata: app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.4 + helm.sh/chart: cert-manager-v1.12.4 name: clusterissuers.cert-manager.io spec: group: cert-manager.io @@ -2913,6 +3021,15 @@ spec: description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which can be used + to validate the certificate chain presented by the ACME server. + Mutually exclusive with SkipTLSVerify; prefer using CABundle + to prevent various kinds of security vulnerabilities. If CABundle + and SkipTLSVerify are unset, the system certificate bundle + inside the container is used to validate the TLS connection. + format: byte + type: string disableAccountKeyGeneration: description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new 
@@ -3019,13 +3136,14 @@ spec: Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string skipTLSVerify: - description: Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will - not have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults - to false. + description: 'INSECURE: Enables or disables validation of the + ACME server TLS certificate. If true, requests to the ACME + server will not have the TLS certificate chain validated. + Mutually exclusive with CABundle; prefer using CABundle to + prevent various kinds of security vulnerabilities. Only enable + this option in development environments. If CABundle and SkipTLSVerify + are unset, the system certificate bundle inside the container + is used to validate the TLS connection. Defaults to false.' type: boolean solvers: description: 'Solvers is a list of challenge solvers that will 
@@ -3369,10 +3487,33 @@ spec: properties: accessKeyID: description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + Cannot be set when SecretAccessKeyID is set. + If neither the Access Key nor Key ID are set, + we fall-back to using env vars, shared credentials + file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for + authentication. If set, pull the AWS access + key ID from a key within a Kubernetes Secret. + Cannot be set when AccessKeyID is set. If neither + the Access Key nor Key ID are set, we fall-back + to using env vars, shared credentials file or + AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some + instances of this field may be defaulted, + in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object hostedZoneID: description: If set, the provider will manage only this zone in Route53 and will not do an 
@@ -3391,9 +3532,11 @@ spec: shared credentials file or AWS Instance metadata type: string secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: 'The SecretAccessKey is used for + authentication. If neither the Access Key nor + Key ID are set, we fall-back to using env vars, + shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' properties: key: description: The key of the entry in the Secret 
@@ -3473,35 +3616,36 @@ spec: cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef - references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' items: - description: "ParentRef identifies an API object\ - \ (usually a Gateway) that can be considered\ - \ a parent of this resource (usually a route).\ - \ The only kind of parent resource with \"\ - Core\" support is Gateway. This API may be\ - \ extended in the future to support additional\ - \ kinds of parent resources, such as HTTPRoute.\ - \ \n The API object must be valid in the cluster;\ - \ the Group and Kind must be registered in\ - \ the cluster for this reference to be valid.\ - \ \n References to objects with invalid Group\ - \ and Kind are not valid, and must be rejected\ - \ by the implementation, with appropriate\ - \ Conditions set on the containing object." + description: "ParentReference identifies an\ + \ API object (usually a Gateway) that can\ + \ be considered a parent of this resource\ + \ (usually a route). The only kind of parent\ + \ resource with \"Core\" support is Gateway.\ + \ This API may be extended in the future to\ + \ support additional kinds of parent resources,\ + \ such as HTTPRoute. \n The API object must\ + \ be valid in the cluster; the Group and Kind\ + \ must be registered in the cluster for this\ + \ reference to be valid." properties: group: default: gateway.networking.k8s.io description: "Group is the group of the\ - \ referent. \n Support: Core" + \ referent. When unspecified, \"gateway.networking.k8s.io\"\ + \ is inferred. To set the core API group\ + \ (such as for a \"Service\" kind referent),\ + \ Group must be explicitly set to \"\"\ + \ (empty string). 
\n Support: Core" maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: default: Gateway description: "Kind is kind of the referent.\ - \ \n Support: Core (Gateway) Support:\ - \ Custom (Other Resources)" + \ \n Support: Core (Gateway) \n Support:\ + \ Implementation-specific (Other Resources)" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 
@@ -3514,20 +3658,70 @@ spec: type: string namespace: description: "Namespace is the namespace\ - \ of the referent. When unspecified (or\ - \ empty string), this refers to the local\ - \ namespace of the Route. \n Support:\ - \ Core" + \ of the referent. When unspecified, this\ + \ refers to the local namespace of the\ + \ Route. \n Note that there are specific\ + \ rules for ParentRefs which cross namespace\ + \ boundaries. Cross-namespace references\ + \ are only valid if they are explicitly\ + \ allowed by something in the namespace\ + \ they are referring to. For example:\ + \ Gateway has the AllowedRoutes field,\ + \ and ReferenceGrant provides a generic\ + \ way to enable any other kind of cross-namespace\ + \ reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + port: + description: "Port is the network port this\ + \ Route targets. It can be interpreted\ + \ differently based on the type of parent\ + \ resource. \n When the parent resource\ + \ is a Gateway, this targets all listeners\ + \ listening on the specified port that\ + \ also support this kind of Route(and\ + \ select this Route). It's not recommended\ + \ to set `Port` unless the networking\ + \ behaviors specified in a Route must\ + \ apply to a specific port as opposed\ + \ to a listener(s) whose port(s) may be\ + \ changed. When both Port and SectionName\ + \ are specified, the name and port of\ + \ the selected listener must match both\ + \ specified values. \n Implementations\ + \ MAY choose to support other parent resources.\ + \ Implementations supporting other types\ + \ of parent resources MUST clearly document\ + \ how/if Port is interpreted. \n For the\ + \ purpose of status, an attachment is\ + \ considered successful as long as the\ + \ parent resource accepts it partially.\ + \ For example, Gateway listeners can restrict\ + \ which Routes can attach to them by Route\ + \ kind, namespace, or hostname. 
If 1 of\ + \ 2 Gateway listeners accept attachment\ + \ from the referencing Route, the Route\ + \ MUST be considered successfully attached.\ + \ If no Gateway listeners accept attachment\ + \ from this Route, the Route MUST be considered\ + \ detached from the Gateway. \n Support:\ + \ Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer sectionName: description: "SectionName is the name of\ \ a section within the target resource.\ \ In the following resources, SectionName\ \ is interpreted as the following: \n\ - \ * Gateway: Listener Name \n Implementations\ + \ * Gateway: Listener Name. When both\ + \ Port (experimental) and SectionName\ + \ are specified, the name and port of\ + \ the selected listener must match both\ + \ specified values. \n Implementations\ \ MAY choose to support attaching Routes\ \ to other resources. If that is the case,\ \ they MUST clearly document how SectionName\ @@ -3569,10 +3763,19 @@ spec: by cert-manager for each Challenge to be completed. properties: class: - description: The ingress class to use when creating + description: This field configures the annotation + `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. + use this challenge solver. Only one of `class`, + `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` + on the created Ingress resources used to solve + ACME challenges that use this challenge solver. + This is the recommended way of configuring the + ingress class. Only one of `class`, `name` or + `ingressClassName` may be specified. type: string ingressTemplate: description: Optional ingress template used to 
@@ -3609,7 +3812,8 @@ spec: This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress - resources. + resources. Only one of `class`, `name` or `ingressClassName` + may be specified. type: string podTemplate: description: Optional pod template used to configure @@ -3640,11 +3844,9 @@ spec: type: object spec: description: PodSpec defines overrides for - the HTTP01 challenge solver pod. Only the - 'priorityClassName', 'nodeSelector', 'affinity', - 'serviceAccountName' and 'tolerations' fields - are supported currently. All other fields - will be ignored. + the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec + to find out currently supported fields. + All other fields will be ignored. properties: affinity: description: If specified, the pod's scheduling @@ -3813,6 +4015,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding @@ -3976,10 +4179,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity @@ -4116,6 +4321,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set @@ -4132,11 +4338,7 @@ spec: list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This - field is beta-level - and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -4227,6 +4429,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static 
@@ -4241,7 +4444,7 @@ spec: null or empty namespaces list and null namespaceSelector means "this pod's - namespace" + namespace". items: type: string type: array @@ -4390,6 +4593,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces @@ -4404,10 +4608,6 @@ spec: means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level - and is only honored when - PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -4483,6 +4683,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list @@ -4494,7 +4695,7 @@ spec: the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -4654,6 +4855,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set @@ -4670,11 +4872,7 @@ spec: list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This - field is beta-level - and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -4765,6 +4963,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static @@ -4779,7 +4978,7 @@ spec: null or empty namespaces list and null namespaceSelector means "this pod's - namespace" + namespace". items: type: string type: array @@ -4928,6 +5127,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces 
@@ -4942,10 +5142,6 @@ spec: means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level - and is only honored when - PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -5021,6 +5217,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list @@ -5032,7 +5229,7 @@ spec: the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -5058,6 +5255,23 @@ spec: type: array type: object type: object + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + items: + description: LocalObjectReference contains + enough information to let you locate + the referenced object inside the same + namespace. + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array nodeSelector: additionalProperties: type: string @@ -5313,9 +5527,23 @@ spec: required: - name type: object + serviceAccountRef: + description: A reference to a service account that will + be used to request a bound token (also known as "projected + token"). Compared to using "secretRef", using this + field means that you don't rely on statically bound + tokens. To use this field, you must configure an RBAC + rule to let cert-manager request a token. + properties: + name: + description: Name of the ServiceAccount used to + request a token. + type: string + required: + - name + type: object required: - role - - secretRef type: object tokenSecretRef: description: TokenSecretRef authenticates with Vault by 
@@ -5335,13 +5563,36 @@ spec: type: object type: object caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to - validate Vault server certificate. Only used if the Server - URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root - certificates are used to validate the TLS connection. + description: Base64-encoded bundle of PEM CAs which will be + used to validate the certificate chain presented by Vault. + Only used if using HTTPS to connect to Vault and ignored for + HTTP connections. Mutually exclusive with CABundleSecretRef. + If neither CABundle nor CABundleSecretRef are defined, the + certificate bundle in the cert-manager controller container + is used to validate the TLS connection. format: byte type: string + caBundleSecretRef: + description: Reference to a Secret containing a bundle of PEM-encoded + CAs to use when verifying the certificate chain presented + by Vault when using HTTPS. Mutually exclusive with CABundle. + If neither CABundle nor CABundleSecretRef are defined, the + certificate bundle in the cert-manager controller container + is used to validate the TLS connection. If no key for the + Secret is specified, cert-manager will default to 'ca.crt'. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object namespace: description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments 
@@ -5397,12 +5648,11 @@ spec: settings. Only one of TPP or Cloud may be specified. properties: caBundle: - description: CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. + description: Base64-encoded bundle of PEM CAs which will + be used to validate the certificate chain presented by + the TPP server. Only used if using HTTPS; ignored for + HTTP. If undefined, the certificate bundle in the cert-manager + controller container is used to validate the chain. format: byte type: string credentialsRef: @@ -5442,6 +5692,12 @@ spec: be set if the Issuer is configured to use an ACME server to issue certificates. properties: + lastPrivateKeyHash: + description: LastPrivateKeyHash is a hash of the private key + associated with the latest registered ACME account, in order + to track changes made to registered account associated with + the Issuer + type: string lastRegisteredEmail: description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes @@ -5511,15 +5767,13 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - cert-manager.io/inject-ca-from-secret: syn-cert-manager/cert-manager-webhook-ca labels: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.4 + helm.sh/chart: cert-manager-v1.12.4 name: issuers.cert-manager.io spec: group: cert-manager.io 
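Review bot: The `cert-manager.io/inject-ca-from-secret: syn-cert-manager/cert-manager-webhook-ca` annotation is dropped from the issuers.cert-manager.io CRD in the last hunk here, and likewise from orders.acme.cert-manager.io later in this file, which means cainjector stops maintaining a CA bundle on these CRDs. Presumably the v1.12.4 chart no longer renders a conversion webhook for the CRDs and the injection is simply unneeded, but nothing in the commit says so, and a dropped webhook-CA annotation is the kind of change an operator auditing the upgrade will want explained. I would add one line to the commit description along the lines of `CRDs no longer carry inject-ca-from-secret: <reason from the chart changelog>` rather than leave it to be inferred from golden output. The golden files are generated, so there is nothing to change in this file itself.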
@@ -5575,6 +5829,15 @@ spec: description: ACME configures this issuer to communicate with a RFC8555 (ACME) server to obtain signed x509 certificates. properties: + caBundle: + description: Base64-encoded bundle of PEM CAs which can be used + to validate the certificate chain presented by the ACME server. + Mutually exclusive with SkipTLSVerify; prefer using CABundle + to prevent various kinds of security vulnerabilities. If CABundle + and SkipTLSVerify are unset, the system certificate bundle + inside the container is used to validate the TLS connection. + format: byte + type: string disableAccountKeyGeneration: description: Enables or disables generating a new ACME account key. If true, the Issuer resource will *not* request a new @@ -5681,13 +5944,14 @@ spec: Only ACME v2 endpoints (i.e. RFC 8555) are supported.' type: string skipTLSVerify: - description: Enables or disables validation of the ACME server - TLS certificate. If true, requests to the ACME server will - not have their TLS certificate validated (i.e. insecure connections - will be allowed). Only enable this option in development environments. - The cert-manager system installed roots will be used to verify - connections to the ACME server if this is false. Defaults - to false. + description: 'INSECURE: Enables or disables validation of the + ACME server TLS certificate. If true, requests to the ACME + server will not have the TLS certificate chain validated. + Mutually exclusive with CABundle; prefer using CABundle to + prevent various kinds of security vulnerabilities. Only enable + this option in development environments. If CABundle and SkipTLSVerify + are unset, the system certificate bundle inside the container + is used to validate the TLS connection. Defaults to false.' type: boolean solvers: description: 'Solvers is a list of challenge solvers that will 
@@ -6031,10 +6295,33 @@ spec: properties: accessKeyID: description: 'The AccessKeyID is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata see: - https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + Cannot be set when SecretAccessKeyID is set. + If neither the Access Key nor Key ID are set, + we fall-back to using env vars, shared credentials + file or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' type: string + accessKeyIDSecretRef: + description: 'The SecretAccessKey is used for + authentication. If set, pull the AWS access + key ID from a key within a Kubernetes Secret. + Cannot be set when AccessKeyID is set. If neither + the Access Key nor Key ID are set, we fall-back + to using env vars, shared credentials file or + AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some + instances of this field may be defaulted, + in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object hostedZoneID: description: If set, the provider will manage only this zone in Route53 and will not do an 
@@ -6053,9 +6340,11 @@ spec: shared credentials file or AWS Instance metadata type: string secretAccessKeySecretRef: - description: The SecretAccessKey is used for authentication. - If not set we fall-back to using env vars, shared - credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + description: 'The SecretAccessKey is used for + authentication. If neither the Access Key nor + Key ID are set, we fall-back to using env vars, + shared credentials file or AWS Instance metadata, + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' properties: key: description: The key of the entry in the Secret 
@@ -6135,35 +6424,36 @@ spec: cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef - references a Gateway. See: https://gateway-api.sigs.k8s.io/v1alpha2/api-types/httproute/#attaching-to-gateways' + references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways' items: - description: "ParentRef identifies an API object\ - \ (usually a Gateway) that can be considered\ - \ a parent of this resource (usually a route).\ - \ The only kind of parent resource with \"\ - Core\" support is Gateway. This API may be\ - \ extended in the future to support additional\ - \ kinds of parent resources, such as HTTPRoute.\ - \ \n The API object must be valid in the cluster;\ - \ the Group and Kind must be registered in\ - \ the cluster for this reference to be valid.\ - \ \n References to objects with invalid Group\ - \ and Kind are not valid, and must be rejected\ - \ by the implementation, with appropriate\ - \ Conditions set on the containing object." + description: "ParentReference identifies an\ + \ API object (usually a Gateway) that can\ + \ be considered a parent of this resource\ + \ (usually a route). The only kind of parent\ + \ resource with \"Core\" support is Gateway.\ + \ This API may be extended in the future to\ + \ support additional kinds of parent resources,\ + \ such as HTTPRoute. \n The API object must\ + \ be valid in the cluster; the Group and Kind\ + \ must be registered in the cluster for this\ + \ reference to be valid." properties: group: default: gateway.networking.k8s.io description: "Group is the group of the\ - \ referent. \n Support: Core" + \ referent. When unspecified, \"gateway.networking.k8s.io\"\ + \ is inferred. To set the core API group\ + \ (such as for a \"Service\" kind referent),\ + \ Group must be explicitly set to \"\"\ + \ (empty string). 
\n Support: Core" maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: default: Gateway description: "Kind is kind of the referent.\ - \ \n Support: Core (Gateway) Support:\ - \ Custom (Other Resources)" + \ \n Support: Core (Gateway) \n Support:\ + \ Implementation-specific (Other Resources)" maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ 
@@ -6176,20 +6466,70 @@ spec: type: string namespace: description: "Namespace is the namespace\ - \ of the referent. When unspecified (or\ - \ empty string), this refers to the local\ - \ namespace of the Route. \n Support:\ - \ Core" + \ of the referent. When unspecified, this\ + \ refers to the local namespace of the\ + \ Route. \n Note that there are specific\ + \ rules for ParentRefs which cross namespace\ + \ boundaries. Cross-namespace references\ + \ are only valid if they are explicitly\ + \ allowed by something in the namespace\ + \ they are referring to. For example:\ + \ Gateway has the AllowedRoutes field,\ + \ and ReferenceGrant provides a generic\ + \ way to enable any other kind of cross-namespace\ + \ reference. \n Support: Core" maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string + port: + description: "Port is the network port this\ + \ Route targets. It can be interpreted\ + \ differently based on the type of parent\ + \ resource. \n When the parent resource\ + \ is a Gateway, this targets all listeners\ + \ listening on the specified port that\ + \ also support this kind of Route(and\ + \ select this Route). It's not recommended\ + \ to set `Port` unless the networking\ + \ behaviors specified in a Route must\ + \ apply to a specific port as opposed\ + \ to a listener(s) whose port(s) may be\ + \ changed. When both Port and SectionName\ + \ are specified, the name and port of\ + \ the selected listener must match both\ + \ specified values. \n Implementations\ + \ MAY choose to support other parent resources.\ + \ Implementations supporting other types\ + \ of parent resources MUST clearly document\ + \ how/if Port is interpreted. \n For the\ + \ purpose of status, an attachment is\ + \ considered successful as long as the\ + \ parent resource accepts it partially.\ + \ For example, Gateway listeners can restrict\ + \ which Routes can attach to them by Route\ + \ kind, namespace, or hostname. 
If 1 of\ + \ 2 Gateway listeners accept attachment\ + \ from the referencing Route, the Route\ + \ MUST be considered successfully attached.\ + \ If no Gateway listeners accept attachment\ + \ from this Route, the Route MUST be considered\ + \ detached from the Gateway. \n Support:\ + \ Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer sectionName: description: "SectionName is the name of\ \ a section within the target resource.\ \ In the following resources, SectionName\ \ is interpreted as the following: \n\ - \ * Gateway: Listener Name \n Implementations\ + \ * Gateway: Listener Name. When both\ + \ Port (experimental) and SectionName\ + \ are specified, the name and port of\ + \ the selected listener must match both\ + \ specified values. \n Implementations\ \ MAY choose to support attaching Routes\ \ to other resources. If that is the case,\ \ they MUST clearly document how SectionName\ @@ -6231,10 +6571,19 @@ spec: by cert-manager for each Challenge to be completed. properties: class: - description: The ingress class to use when creating + description: This field configures the annotation + `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that - use this challenge solver. Only one of 'class' - or 'name' may be specified. + use this challenge solver. Only one of `class`, + `name` or `ingressClassName` may be specified. + type: string + ingressClassName: + description: This field configures the field `ingressClassName` + on the created Ingress resources used to solve + ACME challenges that use this challenge solver. + This is the recommended way of configuring the + ingress class. Only one of `class`, `name` or + `ingressClassName` may be specified. type: string ingressTemplate: description: Optional ingress template used to 
@@ -6271,7 +6620,8 @@ spec: This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress - resources. + resources. Only one of `class`, `name` or `ingressClassName` + may be specified. type: string podTemplate: description: Optional pod template used to configure @@ -6302,11 +6652,9 @@ spec: type: object spec: description: PodSpec defines overrides for - the HTTP01 challenge solver pod. Only the - 'priorityClassName', 'nodeSelector', 'affinity', - 'serviceAccountName' and 'tolerations' fields - are supported currently. All other fields - will be ignored. + the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec + to find out currently supported fields. + All other fields will be ignored. properties: affinity: description: If specified, the pod's scheduling @@ -6475,6 +6823,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding @@ -6638,10 +6987,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity @@ -6778,6 +7129,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set @@ -6794,11 +7146,7 @@ spec: list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This - field is beta-level - and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -6889,6 +7237,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static 
@@ -6903,7 +7252,7 @@ spec: null or empty namespaces list and null namespaceSelector means "this pod's - namespace" + namespace". items: type: string type: array @@ -7052,6 +7401,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces @@ -7066,10 +7416,6 @@ spec: means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level - and is only honored when - PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -7145,6 +7491,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list @@ -7156,7 +7503,7 @@ spec: the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -7316,6 +7663,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set @@ -7332,11 +7680,7 @@ spec: list means "this pod's namespace". An empty selector ({}) matches - all namespaces. This - field is beta-level - and is only honored - when PodAffinityNamespaceSelector - feature is enabled. + all namespaces. properties: matchExpressions: description: matchExpressions @@ -7427,6 +7771,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static @@ -7441,7 +7786,7 @@ spec: null or empty namespaces list and null namespaceSelector means "this pod's - namespace" + namespace". items: type: string type: array @@ -7590,6 +7935,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaceSelector: description: A label query over the set of namespaces 
@@ -7604,10 +7950,6 @@ spec: means "this pod's namespace". An empty selector ({}) matches all namespaces. - This field is beta-level - and is only honored when - PodAffinityNamespaceSelector - feature is enabled. properties: matchExpressions: description: matchExpressions @@ -7683,6 +8025,7 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies a static list @@ -7694,7 +8037,7 @@ spec: the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector - means "this pod's namespace" + means "this pod's namespace". items: type: string type: array @@ -7720,6 +8063,23 @@ spec: type: array type: object type: object + imagePullSecrets: + description: If specified, the pod's imagePullSecrets + items: + description: LocalObjectReference contains + enough information to let you locate + the referenced object inside the same + namespace. + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array nodeSelector: additionalProperties: type: string @@ -7975,9 +8335,23 @@ spec: required: - name type: object + serviceAccountRef: + description: A reference to a service account that will + be used to request a bound token (also known as "projected + token"). Compared to using "secretRef", using this + field means that you don't rely on statically bound + tokens. To use this field, you must configure an RBAC + rule to let cert-manager request a token. + properties: + name: + description: Name of the ServiceAccount used to + request a token. + type: string + required: + - name + type: object required: - role - - secretRef type: object tokenSecretRef: description: TokenSecretRef authenticates with Vault by 
@@ -7997,13 +8371,36 @@ spec: type: object type: object caBundle: - description: PEM-encoded CA bundle (base64-encoded) used to - validate Vault server certificate. Only used if the Server - URL is using HTTPS protocol. This parameter is ignored for - plain HTTP protocol connection. If not set the system root - certificates are used to validate the TLS connection. + description: Base64-encoded bundle of PEM CAs which will be + used to validate the certificate chain presented by Vault. + Only used if using HTTPS to connect to Vault and ignored for + HTTP connections. Mutually exclusive with CABundleSecretRef. + If neither CABundle nor CABundleSecretRef are defined, the + certificate bundle in the cert-manager controller container + is used to validate the TLS connection. format: byte type: string + caBundleSecretRef: + description: Reference to a Secret containing a bundle of PEM-encoded + CAs to use when verifying the certificate chain presented + by Vault when using HTTPS. Mutually exclusive with CABundle. + If neither CABundle nor CABundleSecretRef are defined, the + certificate bundle in the cert-manager controller container + is used to validate the TLS connection. If no key for the + Secret is specified, cert-manager will default to 'ca.crt'. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object namespace: description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments 
@@ -8059,12 +8456,11 @@ spec: settings. Only one of TPP or Cloud may be specified. properties: caBundle: - description: CABundle is a PEM encoded TLS certificate to - use to verify connections to the TPP instance. If specified, - system roots will not be used and the issuing CA for the - TPP instance must be verifiable using the provided root. - If not specified, the connection will be verified using - the cert-manager system root certificates. + description: Base64-encoded bundle of PEM CAs which will + be used to validate the certificate chain presented by + the TPP server. Only used if using HTTPS; ignored for + HTTP. If undefined, the certificate bundle in the cert-manager + controller container is used to validate the chain. format: byte type: string credentialsRef: @@ -8104,6 +8500,12 @@ spec: be set if the Issuer is configured to use an ACME server to issue certificates. properties: + lastPrivateKeyHash: + description: LastPrivateKeyHash is a hash of the private key + associated with the latest registered ACME account, in order + to track changes made to registered account associated with + the Issuer + type: string lastRegisteredEmail: description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes @@ -8173,15 +8575,13 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - cert-manager.io/inject-ca-from-secret: syn-cert-manager/cert-manager-webhook-ca labels: app: cert-manager app.kubernetes.io/instance: cert-manager app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cert-manager - app.kubernetes.io/version: v1.8.2 - helm.sh/chart: cert-manager-v1.8.2 + app.kubernetes.io/version: v1.12.4 + helm.sh/chart: cert-manager-v1.12.4 name: orders.acme.cert-manager.io spec: group: acme.cert-manager.io 
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/deployment.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/deployment.yaml
index 99d8e6b1..c593b822 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/deployment.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/deployment.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager
 namespace: syn-cert-manager
 spec:
@@ -26,16 +26,18 @@ spec:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 spec:
 containers:
 - args:
 - --v=2
 - --cluster-resource-namespace=$(POD_NAMESPACE)
 - --leader-election-namespace=syn-cert-manager
+ - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.12.4
 - --dns01-recursive-nameservers="1.1.1.1:53"
 - --dns01-recursive-nameservers-only
+ - --max-concurrent-challenges=60
 env:
 - name: POD_NAMESPACE
 valueFrom:
@@ -47,21 +49,29 @@ spec:
 value: ''
 - name: NO_PROXY
 value: ''
- image: quay.io/jetstack/cert-manager-controller:v1.8.2
+ image: quay.io/jetstack/cert-manager-controller:v1.12.4
 imagePullPolicy: IfNotPresent
- name: cert-manager
+ name: cert-manager-controller
 ports:
 - containerPort: 9402
 name: http-metrics
 protocol: TCP
+ - containerPort: 9403
+ name: http-healthz
+ protocol: TCP
 resources:
 requests:
 cpu: 50m
 memory: 512Mi
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 nodeSelector:
 kubernetes.io/os: linux
 securityContext:
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: cert-manager
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/rbac.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/rbac.yaml
index 0184e421..5432a3cd 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/rbac.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/rbac.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-issuers
 rules:
 - apiGroups:
@@ -55,8 +55,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-clusterissuers
 rules:
 - apiGroups:
@@ -103,8 +103,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-certificates
 rules:
 - apiGroups:
@@ -174,8 +174,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-orders
 rules:
 - apiGroups:
@@ -242,8 +242,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-challenges
 rules:
 - apiGroups:
@@ -349,8 +349,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-ingress-shim
 rules:
 - apiGroups:
@@ -420,8 +420,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 rbac.authorization.k8s.io/aggregate-to-admin: 'true'
 rbac.authorization.k8s.io/aggregate-to-edit: 'true'
 rbac.authorization.k8s.io/aggregate-to-view: 'true'
@@ -456,8 +456,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 rbac.authorization.k8s.io/aggregate-to-admin: 'true'
 rbac.authorization.k8s.io/aggregate-to-edit: 'true'
 name: cert-manager-edit
@@ -501,8 +501,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-approve:cert-manager-io
 rules:
 - apiGroups:
@@ -524,8 +524,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-certificatesigningrequests
 rules:
 - apiGroups:
@@ -569,8 +569,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-issuers
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -590,8 +590,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-clusterissuers
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -611,8 +611,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-certificates
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -632,8 +632,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-orders
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -653,8 +653,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-challenges
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -674,8 +674,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-ingress-shim
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -695,8 +695,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-approve:cert-manager-io
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -716,8 +716,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-controller-certificatesigningrequests
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -737,8 +737,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager:leaderelection
 namespace: syn-cert-manager
 rules:
@@ -768,8 +768,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager:leaderelection
 namespace: syn-cert-manager
 roleRef:
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/service.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/service.yaml
index 0a3d9452..ddb90b04 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/service.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/service.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager
 namespace: syn-cert-manager
 spec:
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/serviceaccount.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/serviceaccount.yaml
index 963db503..3ec28589 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/serviceaccount.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/serviceaccount.yaml
@@ -8,7 +8,7 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager
 namespace: syn-cert-manager
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/servicemonitor.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/servicemonitor.yaml
index ba58d1a9..14c2e2f1 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/servicemonitor.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/servicemonitor.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: cert-manager
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 prometheus: default
 name: cert-manager
 namespace: syn-cert-manager
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-job.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-job.yaml
index af6221e4..f3528ca9 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-job.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-job.yaml
@@ -11,8 +11,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: startupapicheck
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-startupapicheck
 namespace: syn-cert-manager
 spec:
@@ -25,20 +25,27 @@ spec:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: startupapicheck
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 spec:
 containers:
 - args:
 - check
 - api
 - --wait=1m
- image: quay.io/jetstack/cert-manager-ctl:v1.8.2
+ image: quay.io/jetstack/cert-manager-ctl:v1.12.4
 imagePullPolicy: IfNotPresent
- name: cert-manager
+ name: cert-manager-startupapicheck
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ nodeSelector:
+ kubernetes.io/os: linux
 restartPolicy: OnFailure
 securityContext:
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: cert-manager-startupapicheck
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-rbac.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-rbac.yaml
index 3445d1f0..1cef4791 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-rbac.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-rbac.yaml
@@ -11,8 +11,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: startupapicheck
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-startupapicheck:create-cert
 namespace: syn-cert-manager
 rules:
@@ -36,8 +36,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: startupapicheck
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-startupapicheck:create-cert
 namespace: syn-cert-manager
 roleRef:
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-serviceaccount.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-serviceaccount.yaml
index 877a000c..3d2c13a6 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-serviceaccount.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/startupapicheck-serviceaccount.yaml
@@ -12,7 +12,7 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: startupapicheck
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-startupapicheck
 namespace: syn-cert-manager
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-config.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-config.yaml
index 277c5ac7..92810cc6 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-config.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-config.yaml
@@ -6,6 +6,9 @@ metadata:
 app: webhook
 app.kubernetes.io/component: webhook
 app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-webhook
 namespace: syn-cert-manager
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-deployment.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-deployment.yaml
index 6edf5f76..9f8fce87 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-deployment.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-deployment.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-webhook
 namespace: syn-cert-manager
 spec:
@@ -26,8 +26,8 @@ spec:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 spec:
 containers:
 - args:
@@ -35,13 +35,15 @@ spec:
 - --secure-port=10250
 - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
 - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
- - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.syn-cert-manager,cert-manager-webhook.syn-cert-manager.svc
+ - --dynamic-serving-dns-names=cert-manager-webhook
+ - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE)
+ - --dynamic-serving-dns-names=cert-manager-webhook.$(POD_NAMESPACE).svc
 env:
 - name: POD_NAMESPACE
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
- image: quay.io/jetstack/cert-manager-webhook:v1.8.2
+ image: quay.io/jetstack/cert-manager-webhook:v1.12.4
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 3
@@ -53,11 +55,14 @@ spec:
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 1
- name: cert-manager
+ name: cert-manager-webhook
 ports:
 - containerPort: 10250
 name: https
 protocol: TCP
+ - containerPort: 6080
+ name: healthcheck
+ protocol: TCP
 readinessProbe:
 failureThreshold: 3
 httpGet:
@@ -74,8 +79,13 @@ spec:
 memory: 64Mi
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
 nodeSelector:
 kubernetes.io/os: linux
 securityContext:
 runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
 serviceAccountName: cert-manager-webhook
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-mutating-webhook.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-mutating-webhook.yaml
index f8a85a71..30b1e602 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-mutating-webhook.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-mutating-webhook.yaml
@@ -9,8 +9,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions:
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-rbac.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-rbac.yaml
index db517d56..8c912602 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-rbac.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-rbac.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-webhook:subjectaccessreviews
 rules:
 - apiGroups:
@@ -27,8 +27,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-webhook:subjectaccessreviews
 roleRef:
 apiGroup: rbac.authorization.k8s.io
@@ -49,8 +49,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-webhook:dynamic-serving
 namespace: syn-cert-manager
 rules:
@@ -81,8 +81,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-webhook:dynamic-serving
 namespace: syn-cert-manager
 roleRef:
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-service.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-service.yaml
index 5fc4f8eb..eb04849f 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-service.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-service.yaml
@@ -7,8 +7,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-webhook
 namespace: syn-cert-manager
 spec:
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-serviceaccount.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-serviceaccount.yaml
index 1faab3cd..89eb070c 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-serviceaccount.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-serviceaccount.yaml
@@ -8,7 +8,7 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-webhook
 namespace: syn-cert-manager
diff --git a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-validating-webhook.yaml b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-validating-webhook.yaml
index 1fdbfd6f..f537b9d9 100644
--- a/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-validating-webhook.yaml
+++ b/tests/golden/defaults/cert-manager/cert-manager/01_helmchart/cert-manager/templates/webhook-validating-webhook.yaml
@@ -9,8 +9,8 @@ metadata:
 app.kubernetes.io/instance: cert-manager
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/name: webhook
- app.kubernetes.io/version: v1.8.2
- helm.sh/chart: cert-manager-v1.8.2
+ app.kubernetes.io/version: v1.12.4
+ helm.sh/chart: cert-manager-v1.12.4
 name: cert-manager-webhook
 webhooks:
 - admissionReviewVersions: